April 2006 - Posts
It is no secret that fixing bugs earlier saves a lot of time and money, and also helps to meet the schedule. Security bugs are no exception. What is special about security bugs is that they can be [and often are] introduced in the very initial stages of app planning, that is, in the architecture and design phase, when not a single line of code has been written yet. For example, a design can pass the identity along as a parameter in the querystring or in a hidden field [why did they call it "hidden" in the first place?...] - seen that many times. This is a major design security flaw that can lead to disasters like spoofed identities and elevation of privileges. How can one test for such bugs before the actual coding has started?
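Here is an added example, not from the original post, of the design flaw just described next to its safer shape, written for an ASP.NET 2.0 WebForms page. The AccountService class, the "AccountAdmin" role and the uid/isAdmin parameter names are hypothetical stand-ins.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.UI;

// Hypothetical back end used by both handlers below; it only echoes what would be shown.
public static class AccountService
{
    public static void ShowAccount(HttpResponse response, string accountId)
    {
        response.Write("Account details for " + HttpUtility.HtmlEncode(accountId));
    }

    public static void ShowAllAccounts(HttpResponse response)
    {
        response.Write("All accounts (administrative view)");
    }
}

public partial class AccountPage : Page
{
    // FLAWED DESIGN: the request tells the server who the caller is.
    // Changing ?uid=bob to ?uid=alice, or editing the "hidden" isAdmin field in
    // the posted form, makes the server act as a different, more privileged user.
    protected void LoadAccount_Flawed()
    {
        string uid = Request.QueryString["uid"];   // client-controlled
        string isAdmin = Request.Form["isAdmin"];  // "hidden" field: also client-controlled
        if (isAdmin == "true")
            AccountService.ShowAllAccounts(Response);
        else
            AccountService.ShowAccount(Response, uid);
    }

    // SAFER DESIGN: identity and roles come only from the principal that the
    // platform's authentication established at the trust boundary.
    protected void LoadAccount_Fixed()
    {
        IPrincipal caller = Context.User;
        if (caller == null || !caller.Identity.IsAuthenticated)
        {
            Response.StatusCode = 401;   // let the authentication module take over
            Response.End();
            return;
        }

        if (caller.IsInRole("AccountAdmin"))          // hypothetical application role
            AccountService.ShowAllAccounts(Response);
        else
            AccountService.ShowAccount(Response, caller.Identity.Name);  // server-asserted identity
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        LoadAccount_Fixed();
    }
}
```

A threat model catches the flawed version by following the data flow: the user's identity crosses the client-to-server trust boundary inside the request, so it is data an attacker can tamper with. In the fixed version the only thing that names the user is the authenticated principal, and the query string carries no authority at all.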
The technique is called Threat Modeling, and it comprises several straightforward steps, such as collecting the relevant information about the architecture, technologies and data flow. Mixing and matching all of these then produces a list of design-phase security bugs that can be rated and, according to that rating, get fixed, giving the proper level of mitigation to the threats.
During the upcoming TechEd we'll be giving a great session by Akshay Aggarwal, who is a Senior Security Technologist on the MS ACE team. He presented this topic recently at the RSA conference. Akshay will present the rationale behind the technique, which can be easily applied by theoretically everyone without being a Subject Matter Expert in security - cool, huh? He'll also present the new tool MAS TAM that supports the process of threat modeling.
Check these for more info:
http://msdn.microsoft.com/library/en-us/dnpag2/html/tmwa.asp?frame=true
http://blogs.msdn.com/threatmodeling/default.aspx
http://msdn.microsoft.com/security/securecode/threatmodeling/acetm/
http://www.microsoft.com/downloads/details.aspx?familyid=aa5589bd-fb2c-40cf-aec5-dc4319b491dd&displaylang=en
I was asked some time ago how to get built-in group names. Suppose one needs to get the name of System.Security.Principal.WindowsBuiltInRole.PowerUser. Why? Say there is a need to get it right on different platforms - English, German, etc. Back in the day I used reflection to accomplish this:
using System;
using System.Reflection;
using System.Security.Principal;

// Calls the non-public static _GetRole method of WindowsPrincipal via reflection,
// passing the RID of the built-in role; it returns the localized group name.
Type t = typeof(WindowsPrincipal);
int rid = (int)WindowsBuiltInRole.PowerUser;
object[] args = new object[1];
args[0] = rid;
string role = (string)t.InvokeMember("_GetRole",
    BindingFlags.Static |
    BindingFlags.NonPublic |
    BindingFlags.InvokeMethod,
    null,   // default binder
    null,   // static method, so no target instance
    args);
Now [.NET Fx 2.0] it is much easier and, more important, it is supported: one can use WellKnownSidType from the System.Security.Principal namespace
http://msdn2.microsoft.com/en-US/library/system.security.principal.wellknownsidtype(VS.80).aspx
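As an added example (not from the original post), this is how the same lookup goes with the supported .NET Framework 2.0 API: the well-known SID is the stable key, and Translate() asks the local OS for whatever it calls the group. It must run on Windows, since the translation calls into the local security authority; the BuiltInGroupNames class name and the Main driver are my own.

```csharp
using System;
using System.Security.Principal;

static class BuiltInGroupNames
{
    // Returns e.g. "BUILTIN\Power Users" on an English system and the localized
    // equivalent on a German one; null if the OS does not define the group.
    public static string ResolveName(WellKnownSidType sidType)
    {
        // domainSid is null because built-in groups are not domain-relative SIDs
        SecurityIdentifier sid = new SecurityIdentifier(sidType, null);
        try
        {
            NTAccount account = (NTAccount)sid.Translate(typeof(NTAccount));
            return account.Value;
        }
        catch (IdentityNotMappedException)
        {
            // Well-known SID, but no such group on this OS edition
            return null;
        }
    }

    // Membership checks should also key off the SID, never off a locale-specific name.
    public static bool CurrentUserIsMemberOf(WellKnownSidType sidType)
    {
        WindowsPrincipal principal = new WindowsPrincipal(WindowsIdentity.GetCurrent());
        return principal.IsInRole(new SecurityIdentifier(sidType, null));
    }

    static void Main()
    {
        WellKnownSidType[] groups = {
            WellKnownSidType.BuiltinAdministratorsSid,
            WellKnownSidType.BuiltinUsersSid,
            WellKnownSidType.BuiltinPowerUsersSid,
        };
        foreach (WellKnownSidType g in groups)
        {
            SecurityIdentifier sid = new SecurityIdentifier(g, null);
            Console.WriteLine("{0,-28} {1,-12} {2}", g, sid.Value,
                ResolveName(g) ?? "<not present on this OS>");
        }
        Console.WriteLine("Current user is a Power User: {0}",
            CurrentUserIsMemberOf(WellKnownSidType.BuiltinPowerUsersSid));
    }
}
```

The reason to prefer this over comparing role names is the same one that motivated the reflection trick: a string like "Power Users" is a display name that changes with the OS language, while the SID (S-1-5-32-547 for that group) does not.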
Also check on Keith Brown's relevant content:
http://www.pluralsight.com/wiki/default.aspx/Keith.GuideBook/HowToProgramWithSIDs.html
My favorite from there is "The day I write my last line of C code will be a very happy day for me!"
I was just pointed by JD Meier to very, very nice content. That is the Developer Highway Code, a handbook in PDF format. It summarizes the major Security Engineering activities in one place.
Want to start writing secure code? - start with this.
Very practical, easy to use, well done.
Enjoy!
That's great! If someone already wants to spend her time/money/resources [which are apparently all the same] building more secure software, then that can already be considered a great start. To me, application security is no different from any other application feature - really, it is not. And if you adopt this approach then it is easy to handle it throughout the dev project's lifecycle - no matter where the project currently is [planning, architecture, coding etc.]. If you treat Security as a feature then you can apply your skills of treating any other feature, e.g. requirements, designing, building, testing, deploying, maintaining.
"Right, security is a feature. I do not get it... Is it authN, authZ, SSL, firewall?".
Who asked that? This is a great question. And we do have a great answer: the Security Frame, which consists of ten items [follow the link, and do not forget to check on the page's rating].
Now, I guess, it is much easier to handle App Security through the dev lifecycle, now that it has flesh and blood.
"So, where do I start?".
Oh, right... From the Security Engineering perspective there is something to assist you in each project phase. That "Something" usually consists of guidance content, checklists, and how-to's [there is actually a lot more..] - start here.
Enjoy
It all started back in 2002 with Bill Gates' famous memo:
From: Bill Gates Sent: Tuesday, January 15, 2002 5:22 PM
To: Microsoft and Subsidiaries: All FTE
Subject: Trustworthy computing
"...Great features won't matter unless customers trust our software. So now, when we face a choice between adding features and resolving security issues, we need to choose security..."
SDL was born; read more on it here. One of the tenets of SDL is that it is integrated tightly into the dev process. But is the dev process the same in all dev shops, just like at MS? Do these shops possess the same security skills and resources? What are their security objectives? The real question here, I believe, is "does the MS one-size SDL fit all?". I do not think so. At least not for Line Of Business [LOB] information systems. Even inside MS there is a separate team [ACE] that implements SDL-IT for MS internal LOB apps.
One of the ACE members, Akshay Aggarwal, is going to give the Threat Modeling [TM] session @TechEd, presenting the very cool new free tool MAS TAM. The session was presented recently @RSA conference with great feedback. More on TM in the next post.
So MS has SDL for its product groups, SDL-IT for internal LOB apps... What about customers? Surprise!! MSDN has had it all there since 2003. That is Security Engineering from the Practices and Patterns team:
- .NET Security
- Threat Modeling Web Applications
- Security Engineering Explained
- Lots more
More than 2,500 pages of guidance for practices, techniques, how-to's, and more
@TechEd, on May 9th I am going to give the Security Engineering session, where I'll present the topic spiced with examples from the field where these practices were successfully implemented
See you there
Hi!
Just wanted to tell you guys that we have three sessions @Teched dedicated to the topic:
- Microsoft Secure Software Engineering Process
- Threat Modeling
- Threats and Countermeasures in action
The first one I am going to present on the first day. The TM session is going to be delivered by someone from corp, and the third one by a partner. Two of the presenters presented lately @RSA conference [I am not among them :-)]. Want to know more? - stay tuned. More details will come shortly...